The European Commission adopted its evaluation report on the Data Retention Directive this week. The Commission lived down to our expectations, with the report itself and the Commissioner’s press conference producing an imaginative selection of misleading statements. The following are ten of the most egregious examples:
This is a contribution by Joe McNamee, Advocacy Coordinator of European Digital Rights (EDRi). Bits of Freedom is a founding member of EDRi, the European umbrella organisation of 29 civil rights organisations in 19 EU Member States. In anticipation of the Commission to hide the numerous failures of the Directive by omission and dissemblance, EDRi produced a “shadow report” (PDF) providing a more accurate assessment of the Directive, using the Commission’s own methodology.
1. The evaluation report shows value of “retained data”
In its implementation report and its press spin, the Commission made repeated reference to the value of retained data for law enforcement purposes. What it studiously avoided saying is that the vast majority of the data used for law enforcement purposes do not rely on the Data Retention Directive.
2. The Madrid and London bombings showed the need for data retention
The Commission seeks to justify the excesses of the Directive by referring to the terrorist attacks in Madrid and London. Retained data were indeed useful in Madrid – but the data used were retained by operators for billing purposes and, therefore, irrelevant to the Data Retention Directive.
3. “Data retention is a necessary measure”
The European Commission neither sought nor was provided with any evidence that the extra data retained under the Data Retention Directive was either necessary or useful. In the absence of any evidence, it is impossible for the Commission to credibly make this statement.
4. “Industry needs data retention”
It is equally not necessary for the industry, which fought against the measure prior to its adoption and has seen the range of rules and obligations get more and more onerous and fragmented as the Commission has
lobbied for adoption of the Directive by the Member States. Why would the industry need an instrument which creates rather than removes barriers?
5. The Constitutional Courts did not criticise data retention per se.
This is factually untrue in relation to Romania, while the Czech Constitutional Court expressed doubt on the principle of data retention in its obiter dicta.
6. The Commission must take infringement proceedings against Member States that have not implemented the Directive
It is remarkable that the Commission is acting vigorously against Member States that have not implemented the Directive, yet has taken no measures – and has threatened no measures – against Member States that have implemented it incorrectly in ways which further undermine citizens’ rights. Examples include countries that have been identified in the report that have no process for deleting the data once it has exceeded the retention period.
7. The Directive was asked for by the Member States unanimously
Member States have never unanimously asked for a Data Retention Directive. In fact, it was precisely because unanimity was not possible that the EU was not able to adopt data retention as a security measure. As a result of that failure of Member States to achieve unanimity, the Commission proposed a Directive, to force Member States that do not believe that data retention is necessary to impose it anyway.
8. There are no examples of abuses of retained data
The Commission’s document suggests that there are no examples of retained data being abused. This is despite the fact that the Commission is aware of at least two major abuses, namely:
– German telecommunications giant Deutsche Telekom illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in order to try to find leaks. The company used its own data pool as well as that of a domestic competitor and of a foreign company.
– In Poland retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial control.
9. Some of the data retention is “permitted” by the E-Privacy Directive, rendering analysis of the impact of the Data Retention Directive complicated.
This analysis is bizarre. The Commission itself made a statement when the E-Privacy Directive was adopted saying that the E-Privacy Directive “should neither prohibit nor approve any particular measure Member States may deem necessary,” because a single market instrument could not place limits on a third pillar (i.e. law enforcement) policy area. No retention measure is therefore permitted by the E-Privacy Directive.
10. Data from 20 Member States shows an average of 148 000 requests per year for retained data
Statistically correct, this statement by Commissioner Malmström omits to mention that half of those requests were in one Member State, Poland, which has implemented the Directive in a way which permits vast abuses of the data being retained. Commissioner Malmström in her speech went on to say that “if the data were not helpful, law enforcement authorities would presumably not spend human and financial resources on requesting them in those numbers”. She is either unaware or indifferent to the fact that they are not asking for the data in those numbers – apart from Poland, they are asking for vastly fewer data.